Beruflich Dokumente
Kultur Dokumente
8.8Tbps
4.8Tbps 5.3Tbps
2.8Tbps 2.6Tbps
1.6Tbps
1.4Tbps
960Gbps
480Gbps
20-80Gbps 80Gbps
Height (RU) 6 8 16 34 45
Slots 2 6 11 10 20
Forwarding*
240Gbps 240Gbps 240Gbps 860Gbps 860Gbps
capacity/slot
Redundant Power Yes - AC/DC Yes - AC/DC Yes - AC/DC Yes – AC/DC Yes – AC/DC
4
MX960 COMPONENT REVIEW
Control Panel
SCB
MPC/MPC
MPC/MPC
RE
Air
Intake
Capacity Increase
Supports 160Gbps per slot initially
Fully redundant
Active model provides 240Gbps per slot 5.3Tbps per MX960
In Service Upgrade
Line Rate Ports on the
16x 10GE MPC
16x 10GE MPC
Enables line rate on all 16 ports
8 additional line rate ports upon SCB upgrade Investment Protection
Seamless fabric redundancy for all 16 ports
Characteristics
120Gbps bandwidth
Modular Design for future optics options
Form Factors
2 Ports (2x 1-Port MIC) of 100GE (CFP or CXP)
4 Ports (2x 2-Port MIC) of 40GE (QSFP)
20 Ports (2x 10-Port MIC) of 10GE (SFPP, WAN-PHY)
All MX Functionality
15 Copyright © 2009 Juniper Networks, Inc. www.juniper.net
MX480 PLATFORM
8 slot chassis (6+2)
Physical size
Height: 8 rack units (about 1/6 rack)
MX480 Router
Depth: <800mm deep
Dependable hardware
Passive mid-plane
Redundant Routing Engines
Redundant switching fabric (1+1)
Distributed packet forwarding architecture
Redundant fan and power
Power and cooling
Side-to-side cooling
Holds single fan tray
Holds up to four power supplies (2+2 DC, 2+2 AC 240V, 3+1
AC 110V)
Rear-side power cabling
System capacity
8 slots: Two for fabric cards / Routing Engines
Up to 1.4 Tbps (full-duplex)
Dependable hardware
Passive mid-plane
Redundant Routing Engines (2+2 configuration)
Redundant switching fabric (1+1)
Distributed packet forwarding architecture
Redundant power
System capacity
4 slots: Two available for fabric cards / Routing Engines
Up to 480 Gbps (full-duplex)
System reuses existing SCBs, Routing Engines, and DPCs—common across all MX Series
platforms
17 Copyright © 2009 Juniper Networks, Inc. www.juniper.net
17
JUNOS ACX SERIES INTRODUCTION
TERMINOLOGY & POSITIONING
ACX
Altius-M
ACX-4000
Altius-1 MX
ACX
MX960
MX480
MX80
Aggregation
Altius-1
Access/NTE ACX 4000 1H2013
ACX 2x00
Pre-Aggregation
ACX 1x00
10G capable
ACX1000 ACX2000
ACX4000
ACX1100 ACX2100
THE NEW BENCHMARK FOR ACCESS NETWORKS
60 Gbps platforms: 3x the performance of nearest competition
Industry’s only 10 GbE capable access router
Most flexible and adaptable service architecture
Automated service provisioning accelerates deployments
Only open access system for extensibility
Highest QoE with proven and deployed precision timing
Environmentally hardened with 65w Power over Ethernet (PoE)
FANs are not field replaceable and hence will require system to be brought
down and will trigger an RMA activity.
FANs consume extra power. About 7-8 watts extra for a 50W device (16%
extra power consumption).
© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Proprietary and Confidential
Section Objectives
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 2
Host Subsystem Description
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 3
Host Subsystem Description
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 4
Host Subsystem Description
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 5
Host Subsystem Description
The host subsystem provides control and monitoring functions for the router.
These functions include:
• Determining Routing Engine mastership
• Controlling power and reset for the other router components
• Monitoring and controlling fan speed
• Monitoring system status
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 6
Host Subsystem Description
• Each host subsystem has three LEDs that display its status. The host
subsystem LEDs are located in the middle of the craft interface.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 7
Taking a Host Subsystem Offline
• Check Routing Engine LEDs in the middle of the craft interface. If the green
RE MASTER LED is lit, the corresponding host subsystem is functioning as
the master.
• Issue the following CLI command:
user@host> show chassis routing-engine
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 8
Taking a Host Subsystem Offline
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 9
Taking a Host Subsystem Offline
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 10
Taking a Host Subsystem Offline
• The SCB might continue forwarding traffic for approximately five minutes
after the request system halt command has been issued.
• For more information about the command, see the Junos System Basics
and Services Command Reference.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 11
Bringing a Host Subsystem Online
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 12
Bringing a Host Subsystem Online
• You can determine the current status of a host subsystem by issuing the
show chassis routing-engine command at the Junos software’s
command-line interface.
• If you want to switch the host subsystem that is functioning as master,
issue the request chassis routing-engine master switch command at
the Junos software’s CLI.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 13
Section Summary
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 14
MX Series Router Installation
and Initial Configuration
© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Proprietary and Confidential
Section Objectives
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 16
Switch Control Board Description
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 17
Switch Control Board Description
• You can install up to three SCBs in the router. If two SCBs are installed,
one functions as the master SCB and the other as its backup. A third
installed SCB provides fabric redundancy, but no additional control or
routing functions. If the master fails or is removed, the backup restarts and
becomes the master.
• The SCBs install vertically into the front of the chassis in the slots labeled
0, 1, and 2/6
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 18
Switch Control Board Description
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 21
Removing a Switch Control Board
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 22
Removing a Switch Control Board
• Before removing or replacing an SCB, ensure that the ejector handles are stored
vertically and pressed toward the center of the SCB.
Operating and Positioning the SCB Ejectors
• When removing or inserting an SCB, ensure that the SCBs or blank panels in
adjacent slots are fully inserted to avoid hitting them with the ejector handles. The
ejector handles require that all adjacent components be completely inserted so the
ejector handles do not hit them, which could result in damage.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 23
Removing a Switch Control Board
• The ejector handles have a center of rotation and need to be stored toward the
center of the board. Ensure the long ends of the ejectors located at both the top and
the bottom of the board are vertical. For an ejector located at the top of the board,
press the ejector down toward the center of the board. For an ejector located on the
bottom of the board, press the ejector up toward the center of the board.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 24
Removing a Switch Control Board
• To insert or remove the SCB card, slide the ejector across the SCB vertically, rotate it
and slide it again another quarter of a turn. Turn the ejector again and repeat as
necessary. Utilize the indexing feature to maximize leverage and to avoid hitting any
adjacent components.
• Operate both ejector handles simultaneously. The insertion force on an SCB is too
great for one ejector.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 25
Removing a Switch Control Board
Removing an SCB
• The router can have up to three SCBs. They are located in the front of the chassis in
the slots marked 0, 1, and 2/6. With a Routing Engine installed, each SCB weighs
approximately 9.6 lb (4.4 kg).
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 26
Removing a Switch Control Board
• The SCB and Routing Engine are removed as a unit. You can also remove the
Routing Engine separately.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 27
Removing a Switch Control Board
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 28
Removing a Switch Control Board
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 29
Installing a Switch Control Board
• Attach an ESD grounding strap to your bare wrist, and connect the strap to one of
the ESD points on the chassis.
• Carefully align the sides of the SCB with the guides inside the chassis.
• Slide the SCB into the chassis, carefully ensuring that it is correctly aligned.
• Grasp both ejector handles and rotate them simultaneously clockwise until the SCB
is fully seated.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 30
Installing a Switch Control Board
• To verify that the SCB is functioning normally, check the LEDs on its faceplate. The
green OK/FAIL LED should light steadily a few minutes after the SCB is installed. If
the OK/FAIL LED is red, remove and install the SCB again. If the FAIL LED still lights
steadily, it indicates that the SCB is not functioning properly. Contact your customer
support representative.
To check the status of the SCB, use the CLI command:
user@host> show chassis environment cb
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 31
Section Summary
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 32
MX Series Router Installation
and Initial Configuration
© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Proprietary and Confidential
Section Objectives
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 34
Routing Engine Description
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 35
Routing Engine Description
• The Routing Engine is an Intel-based PCI platform that runs the Junos Internet software.
Software processes that run on the Routing Engine:
• Maintain the routing tables
• Manage the routing protocols
• Control the router’s interfaces
• Control some chassis components
• Provide the interface for system management and user access
Each Routing Engine weighs approximately 2.4 lb (1.1 kg).
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 36
Routing Engine Description
• You can install one or two Routing Engines in the router. The Routing Engines
install into the front of the chassis in vertical slots directly into the SCBs labeled 0
and 1. If two Routing Engines are installed, one functions as the master and the
other acts as the backup. If the master Routing Engine fails or is removed, and the
backup is configured appropriately, the backup takes over as the master.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 37
Routing Engine Description
• A Routing Engine installed in SCB slot 2/6 is not powered, install a blank panel
instead.
• The Routing Engines are hot-pluggable. Each Routing Engine must be installed
directly into an SCB. A USB port on the Routing Engine accepts a USB memory
card that allows you to load Junos software.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 38
Routing Engine Description
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 39
Routing Engine Description
• USB port: Provides a removable media interface through which you can install the
Junos Internet software manually.
• Internal flash disk: Provides primary storage for software images, configuration
files, and microcode.
• Hard disk: Provides secondary storage for the log files, memory dumps, and for
rebooting the system, if the internal flash disk fails
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 40
Routing Engine Description
• LEDs: Each Routing Engine has four LEDs that indicate its status. The LEDs,
labeled MASTER, HDD, ONLINE, and FAIL are located directly on the faceplate of
the Routing Engine.
• Indicate disk activity for the internal IDE interface. They do not necessarily indicate
routing-related activity.
• The onscreen table describes the functions of the Routing Engine LEDs.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 41
Routing Engine Description
• HDD LED: Indicates disk activity for the hard disk drive.
• Routing Engine Interface Ports and Status Indicators
• In the center of the Routing Engine are three sets of ports that connect the
Routing Engine to one or more external devices on which system administrators
can issue Junos command-line interface (CLI) commands to manage the router.
These interfaces also provide information about Routing Engine status.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 42
Routing Engine Description
• Each Routing Engine has one 10/100-Mbps Ethernet port for connecting to a
management network, and two asynchronous serial ports—one for connecting to a
console and one for connecting to a modem or another auxiliary device.
• The ports with the indicated label in each set function as follows:
• AUX—Connects the Routing Engine to a laptop, modem, or other auxiliary device
through a cable with an RJ-45 connector.
• CONSOLE—Connects the Routing Engine to a system console through a cable
with an RJ-45 connector.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 43
Routing Engine Description
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 44
Routing Engine Description
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 45
Routing Engine Description
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 46
Routing Engine Description
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 47
Routing Engine Description
• For specific information about Routing Engine components (for example, the amount
of DRAM), issue the show chassis routing-engine command.
• If two Routing Engines are installed, they must both be the same hardware version.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 48
Tools and Parts Required
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 49
Removing a Routing Engine
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 50
Removing a Routing Engine
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 51
Removing a Routing Engine
• Router performance might change if the standby Routing Engine's configuration differs from
the former master's configuration. For the most predictable performance, configure the two
Routing Engines identically, except for parameters unique to a Routing Engine, such as:
• hostname defined at the [edit system] hierarchy level
• management interface (fxp0) defined at the [edit interfaces] hierarchy level.
• To configure Routing Engine-specific parameters- and still use the same configuration on
both Routing Engines, include the appropriate configuration statements under the re0 and
re1 statements at the [edit groups] hierarchy level and use the apply-groups statement.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 52
Removing a Routing Engine
• To maintain proper airflow through the chassis, do not leave an SCB installed in the
chassis without a Routing Engine for extended periods of time. If a Routing Engine is
removed, a replacement Routing Engine should be installed as soon as possible.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 54
Installing a Routing Engine
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 55
Installing a Routing Engine
• Slide the Routing Engine into the SCB until you feel resistance, and then press faceplate
of the Routing Engine until it engages the connectors.
• Press both the ejector handles inward to seat the Routing Engine. Once it is seated, the
Routing Engine automatically comes online.
• Tighten the captive screws on the top and bottom of the Routing Engine.
• The Routing Engine might require several minutes to boot.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 56
Installing a Routing Engine
• After the Routing Engine boots, verify that it is installed correctly by checking the
RE0 and RE1 STATUS LEDs on the craft interface.
• If the router is operational and the Routing Engine is functioning properly, the green OK
LED lights steadily.
• In case the red FAIL LED lights steadily, remove and install the Routing Engine again.
• If the red FAIL LED still lights steadily, the Routing Engine is not functioning properly.
Contact your customer support representative.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 57
Installing a Routing Engine
• To check the status of the Routing Engine, use the CLI command:
• user@host> show chassis routing-engine
Routing Engine status:
Slot 1:
Current state Backup
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 58
Section Summary
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 59
MX Series Router Installation
and Initial Configuration
© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Proprietary and Confidential
Section Objectives
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 61
Dense Port Concentrator Description
• The Dense Port Concentrators (DPCs) are optimized for Ethernet density and are
capable of supporting up to 40 Gigabit Ethernet or 4 10-Gigabit Ethernet ports. The DPC
assembly combines packet forwarding and Ethernet interfaces on a single board, with
four 10-Gbps Packet Forwarding Engines. Each Packet Forwarding Engine consists of
one I-chip for Layer 3 processing and one Layer 2 network processor. The DPCs
interface with the power supplies and Switch Control Boards (SCBs).
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 62
Dense Port Concentrator Description
• The router has 11 dedicated DPC slots. DPCs install vertically in the front of the router.
The DPCs are numbered 0 through 11 left to right. An additional slot numbered 2/6
accepts either a DPC or an SCB. A DPC can be installed in any DPC slot on the router.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 63
Dense Port Concentrator Description
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 64
Dense Port Concentrator Description
• When you install a DPC in an operating router, the Routing Engine downloads the DPC
software, the DPC runs its diagnostics, and the Packet Forwarding Engines housed on
the DPC are enabled. Forwarding on other DPCs continues uninterrupted during this
process.
• If a slot is not occupied by a DPC, a DPC blank panel must be installed to shield the
empty slot and to allow cooling air to circulate properly through the router.
• Faceplates on DPCs for the MX960 router are labeled with the DPC type: 4x10GE or
40x1GE.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 65
Dense Port Concentrator Description
• Each DPC slot has a pair of LEDs that indicates its status. The DPC LEDs, labeled 0
through 11 and 2/6, are located along the bottom of the craft interface.
• If the DPC failed, the fail LED is a steady red. If the OK LED is blinking green, it
indicates that the DPC is starting up. If the DPC is functioning normally, the OK LED is
lit steadily green.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 66
Dense Port Concentrator Description
DPC Components
• Each DPC consists of the following components:
• DPC cover, which functions as a ground plane and a stiffener.
• Fabric interfaces.
• Two Gigabit Ethernet interfaces that allow control information, route information, and
statistics to be sent between the Routing Engine and the CPU on the DPCs.
• Two interfaces from the SCBs that enable the boards to be powered on and controlled.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 67
Dense Port Concentrator Description
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 68
Dense Port Concentrator Description
• LEDs on the 4–port 10–Gigabit Ethernet faceplate indicate the port status. LEDs are
labeled top to bottom 0/0 through 0/3.
• LEDs on the 40–port Gigabit Ethernet faceplate indicate the port status. LEDs are
labeled horizontally and top to bottom 0/0 through 0/5, 1/0 through 1/5, 2/0 through 2/5,
and 3/0 through 3/5.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 69
Dense Port Concentrator Description
• Two LEDs, located on the craft interface above the DPC, display the status of the DPC
and are labeled OK and FAIL.
Handling and Storing DPCs
This section explains how to avoid damaging the DPCs that you install into the router.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 70
Dense Port Concentrator Description
• Many components on the DPC are fragile. Failure to handle DPCs as specified in this
course can cause irreparable damage.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 71
Dense Port Concentrator Description
• Faceplate—Edge of the DPC that has connectors into which you insert the SFP or XFP
transceivers.
• Connector edge—Edge opposite the faceplate; this edge has the connectors that attach
to the midplane.
• Top edge—Edge at the top of the DPC when it is vertical.
• Bottom edge—Edge at the bottom of the DPC when it is vertical.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 72
Tools and Parts Required
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 73
Removing a Dense Port Concentrator
• The router holds up to twelve DPCs, which are installed vertically in the front of the
router. The DPCs are hot-insertable and hot-removable. When you remove a DPC,
the router continues to function, although the DPC being removed no longer
functions.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 74
Removing a Dense Port Concentrator
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 75
Removing a Dense Port Concentrator
• Attach an ESD grounding strap to your bare wrist, and connect the strap to one of the
ESD points on the chassis.
• Take the DPC offline by pressing its online/offline button. Hold the button until the LED
goes out.
• Alternately, you may also take the DPC offline by issuing the following CLI command:
• user@host>request chassis fpc slot slot-number offline
• Disconnect the cables from the DPC. If the DPC uses fiber-optic cable, immediately cover
each transceiver and the end of each cable with a rubber safety cap.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 76
Removing a Dense Port Concentrator
• Do not look directly into fiber interface transceivers or into the ends of fiber-optic
cables. Laser light from transceivers can cause irreversible damage to your eyes.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 77
Removing a Dense Port Concentrator
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 78
Removing a Dense Port Concentrator
• Avoid bending fiber-optic cable beyond its maximum bend radius. An arc smaller
than a few inches in diameter can damage the cable and cause problems that are
difficult to diagnose.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 79
Removing a Dense Port Concentrator
• Carefully secure each disconnected cable to the cable management system below the DPC
card cage to prevent the cables from developing stress points.
• Flip the ejector handles out of their seated position by pressing up on the top ejector and
down on the bottom ejector. Simultaneously turn both the ejector handles counterclockwise
to unseat the DPC.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 80
Removing a Dense Port Concentrator
• Grasp the handles and slide the DPC straight out of the card cage halfway.
• Place one hand around the front of the DPC and the other hand under it to support it.
Slide the DPC completely out of the chassis, and place it on the antistatic mat or in the
electrostatic bag.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 81
Removing a Dense Port Concentrator
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 82
Removing a Dense Port Concentrator
• When the DPC is out of the chassis, do not hold it by the ejector handles, bus bars, or
edge connectors. They cannot support its weight.
• Do not stack DPCs on top of one another after removal. Place each one individually in
an electrostatic bag or on its own antistatic mat on a flat, stable surface.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 83
Removing a Dense Port Concentrator
• If you are not reinstalling a DPC into the emptied DPC slot within a short time, install a
blank DPC panel over the slot to maintain proper airflow in the DPC card cage.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 84
Removing a Dense Port Concentrator
• After removing a DPC from the chassis, wait at least 30 seconds before
reinserting it, removing a DPC from a different slot, or inserting a DPC into a
different slot.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 85
Installing a Dense Port Concentrator
• Attach an ESD grounding strap to your bare wrist, and connect the strap to one of the ESD
points on the chassis.
• Place the DPC on an antistatic mat or remove it from its antistatic bag.
• Verify that each fiber-optic interface has a rubber safety cap covering the transceiver. If it
is not covered, cover the transceiver with a safety cap.
• Locate the slot in the DPC card cage in which you plan to install the DPC. If necessary,
remove the DPC blank plate.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 86
Installing a Dense Port Concentrator
• Orient the DPC so that the faceplate faces you, the text on the DPC is right-side up, and
the EMI strip is on the right-hand side.
• Lift the DPC into place and carefully align first the bottom and then the top of the DPC
with the guides inside the card cage.
• Slide the DPC all the way into the card cage until you feel resistance.
• Grasp both ejector handles and rotate them simultaneously clockwise until the DPC is
fully seated.
• If the DPC uses fiber-optic cable, remove the rubber safety cap from each transceiver
and cable, and insert the appropriate cables into the transceivers on the DPC.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 87
Installing a Dense Port Concentrator
• Do not look directly into a fiber-optic transceiver or into the ends of fiber-optic
cables. Fiber-optic transceivers and fiber-optic cable connected to a transceiver
emit laser light that can damage your eyes.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 88
Installing a Dense Port Concentrator
• Secure the cables so that they are not supporting their own weight. Place the
excess cable out of the way in a neatly coiled loop, using the cable management
system. Placing fasteners on a loop helps to maintain its shape.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 89
Installing a Dense Port Concentrator
• Never let cables hang free from the connector. Do not allow fastened loops of
cable to dangle, because this stresses the cable at the fastening point.
• Avoid bending fiber-optic cable beyond its minimum bend radius. An arc smaller
than a few inches in diameter can damage the cable and cause problems that are
difficult to diagnose.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 90
Installing a Dense Port Concentrator
• To bring the DPC online, press and hold the DPC online/offline button on the craft
interface until the green OK/FAIL LED lights steadily, which takes about 5
seconds.
• Alternately, you may also bring the DPC online by issuing the following CLI
command:
• user@host>request chassis fpc slot slot-number online
• For more information about the command, see the Junos System Basics and
Services Command Reference.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 91
Installing a Dense Port Concentrator
• After the OK LED turns green, wait at least 30 seconds before removing the DPC
again, removing a DPC from a different slot, or inserting a DPC in a different slot.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 92
Installing a Dense Port Concentrator
• You can also verify that the DPC is functioning correctly by issuing the show
chassis fpc and show chassis fpc pic-status commands described in Chapter
7 of the MX960 Hardware Guide, “Maintaining Hardware Components”.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 93
Section Summary
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 94
MX Series Router Installation
and Initial Configuration
© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Proprietary and Confidential
Section Objectives
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 96
SFP/XFP Description
• SFPs and XFPs are removable optical transceivers. You can use any combination of
SFP or XFP types in a single DPC.
• SFPs and XFPs are hot-insertable and hot-removable.
• When you remove an SFP or XFP, the DPC continues to function, although the SFP
or XFP you removed no longer receives or transmits data.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 97
Tools and Parts Required
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 98
Removing an SFP/XFP
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 99
Removing an SFP/XFP
• Do not look directly into a fiber-optic transceiver or into the end of a fiber-optic cable.
Fiber-optic transceivers contain laser light sources that can damage your eyes.
• Carefully secure the disconnected cable to the cable management system below the
DPC card cage to prevent the cable from developing stress points.
• Avoid bending fiber-optic cable beyond its minimum bend radius. An arc smaller than
a few inches in diameter can damage the cable and cause problems that are difficult
to diagnose.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 100
Removing an SFP/XFP
• Attach an ESD grounding strap to your bare wrist, and connect the strap to one of
the ESD points on the chassis.
• Next, take the SFP or XFP to be installed out of its electrostatic bag and identify the
slot on the DPC where it will be installed.
• Verify that each transceiver is covered by a rubber safety cap. If it is not, cover the
transceiver with a safety cap.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 102
Installing an SFP/XFP
• Carefully align the SFP or XFP with the slots in the DPC. The connectors should
face the DPC.
• Slide the SFP or XFP until the connector is seated in the DPC slot. If you are unable
to fully insert the transceiver, make sure the connector is facing the right way.
• Remove the rubber safety cap from the transceiver and the end of the cable.
• Insert the cable into the transceiver.
• Verify that the status LEDs on the DPC faceplate indicate that the SFP or XFP is
functioning correctly.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 103
Section Summary
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 104
MX Series Router Installation
and Initial Configuration
© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Proprietary and Confidential
Section Objectives
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 106
Craft Interface Description
• The craft interface allows you to view the MX960 Ethernet Services Router’s status
and troubleshooting information at a glance, and to perform many system control
functions. It weighs approximately 1.5lb (0.68 kg), is located on the front of the router
above the upper fan tray, and is hot-insertable and hot-removable.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 107
Craft Interface Description
• When the craft interface is removed, you cannot control or communicate with the
router using an external device. When you install the craft interface, allow several
minutes for the display to reflect the current state of the router.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 108
Craft Interface Description
At least one SCB must be installed in the router for the craft interface to obtain
power.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 110
Craft Interface Description
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 111
Craft Interface Description
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 112
Craft Interface Description
DPC LEDs
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 113
Craft Interface Description
SBC LEDs
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 114
Craft Interface Description
Fan LEDs
• The host interface has two alarm relay contacts for connecting the router to external
alarm devices. The alarm relay contacts are located on the upper right of the craft
interface above the DPC LEDs.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 115
Tools and Parts Required
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 116
Removing the Craft Interface
• Attach an ESD grounding strap to your bare wrist, and connect the strap to one of
the ESD points on the chassis.
• Detach any external devices connected to the craft interface.
• Loosen the captive screws at the top left and right corners of the craft interface
faceplate.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 117
Removing the Craft Interface
• Grasp the craft interface faceplate and carefully tilt it toward you until it is horizontal.
• Locate the latch on the inside of the craft interface that connects the cable to the
circuit board socket. Grasp both sides of the latch on the inside of the craft interface
and with your thumb and forefinger, gently press both sides of the latch to disengage
it.
• Put the craft interface into an electrostatic bag.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 118
Installing the Craft Interface
• Attach an ESD grounding strap to your bare wrist, and connect the strap to one of the
ESD points on the chassis.
• Grasp the craft interface with one hand and hold the bottom edge of the craft interface
with the other hand to support its weight.
• Align the red line along the bottom of the internal strap with the bottom of the
connector and snap gently into place.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 119
Installing the Craft Interface
• Align the bottom of the craft interface with the sheet metal above the DPC card cage
and press it into place.
• Tighten the screws at the top left and right corners of the craft interface faceplate.
• Reattach any external devices connected to the craft interface.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 120
Section Summary
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 121
MX Series Router Installation
and Initial Configuration
© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Proprietary and Confidential
Section Objectives
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 123
Cooling System Description
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 124
Cooling System Description
• Both fan trays install horizontally above and below the DPC card cage. Each fan tray
contains six fans. The fan trays are interchangeable, and each weighs about 13 lb (5.9
kg).
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 125
Cooling System Description
• The host subsystem monitors the temperature of the router components. When the
router is operating normally, the fans function at lower than full speed. If a fan fails or
the ambient temperature rises above a threshold, the speed of the remaining fans is
automatically adjusted to keep the temperature within the acceptable range.
• If the ambient maximum temperature specification is exceeded and the system cannot
be adequately cooled, the Routing Engine shuts down the system by disabling output
power from each PEM.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 126
Cooling System Description
• There is a single intake in the front of the router. Air is pushed up through the DPC
card cage and through the upper fan tray, where it combines in a common exhaust
plenum and is exhausted out the upper rear of the system.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 127
Tools and Parts Required
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 128
Removing a Fan Tray
• Attach an ESD grounding strap to your bare wrist, and connect the strap to one of the
ESD points on the chassis.
• Before removing or replacing any component, ensure you are operating the ejector
handles properly and that they are stored correctly on all router components.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 129
Removing a Fan Tray
• Unwrap any cables on the cable management system and remove the cables from the
tray. Arrange the cables so that they do not block the front of the cable management
system and tray, and secure them with temporary fasteners so that they are not
supporting their own weight as they hang from the connector.
• If you are removing the lower fan tray, simultaneously pull the two releases
labeledPULL on the cable management system. Lift it up and outwards to lock it in
place to access the lower fan tray.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 130
Removing a Fan Tray
• Loosen the captive screw on each side of the fan tray faceplate.
• Grasp the handles and pull the fan tray out approximately 1–3 inches
• To avoid injury, keep the tools and your fingers away from the fans as you slide the
fan tray out of the chassis. The fans might still be spinning.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 131
Removing a Fan Tray
• When the fans stop spinning, press on the two latches located on the inside of the fan
tray.
• Place one hand under the fan tray to support it, and pull the fan tray completely out of
the chassis.
• Put the fan tray into an electrostatic bag.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 132
Installing a Fan Tray
• Attach an ESD grounding strap to your bare wrist, and connect the strap to one of the
ESD points on the chassis.
• Grasp the fan tray by its handles, and insert it straight into the chassis.
• Tighten the captive screws on each side of the fan tray faceplate to secure it in the
chassis.
• If you are installing the lower fan tray, unlock the cable management system and
move it to the fully lowered position.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 133
Section Summary
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 134
MX Series Router Installation
and Initial Configuration
© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Proprietary and Confidential
Section Objectives
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 136
Air Filter Description
• The router has one air filter, located in the front of the chassis below the DPC card
cage. It installs horizontally above the front lower fan tray.
• The air filter weighs approximately 1 lb (0.5 kg).
• The air filter is hot-insertable and hot-removable.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 137
Removing the Air Filter
• Attach an ESD grounding strap to your bare wrist, and connect the strap to one of the
ESD points on the chassis.
• Unwrap any cables on the cable management system and remove the cables from the
tray. Arrange the cables so that they do not block the front of the cable management
system and tray, and secure them with temporary fasteners so that they are not
supporting their own weight as they hang from the connector.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 138
Removing the Air Filter
• Do not let fiber-optic cable hang free from the connector. Do not allow fastened loops
of cable to dangle, which stresses the cable at the fastening point.
• Simultaneously pull the two releases labeled PULL on the cable management
system.Lift it up and outwards to lock it in place to access the front air filter.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 139
Removing the Air Filter
• Simultaneously slide the latches on the outer edges of the air filter tray in towards the
center of the tray
• Slide the air filter tray out of the chassis.
• Lift the air filter out of the air filter tray.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 140
Installing the Air Filter
• Attach an ESD grounding strap to your bare wrist, and connect the strap to one of the
ESD points on the chassis.
• Ensure the air filter is right side up.
• Place the air filter into the air filter tray.
• Insert the air filter tray into the chassis by sliding it straight into the chassis until it
stops.
• Lower the cable management system back into position.
• Rearrange the cables in the cable management system.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 141
Section Summary
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 142
MX Series Router Installation
and Initial Configuration
© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Proprietary and Confidential
Section Objectives
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 144
DC Power Supply Description
• In the DC power configuration, the router contains either two or four DC power
supplies located at the lower rear of the chassis in slots PEM0 through PEM3 (left to
right). You can upgrade your DC power system from two to four power supplies.
• The DC power supplies in slots PEM0 and PEM2 provide power to the lower fan tray,
DPC slots 6 through 11, and SCB slots 1 and 2. The DC power supplies in slots PEM1
and PEM3 provide power to the upper fan tray, DPC slots 0 through 5, and SCB slot
0.
• Each power supply weighs approximately 3.8 lb (1.7 kg), and is hot-insertable and hot-
removable.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 145
DC Power Supply Description
• Four power supplies provide full redundancy. If a DC power supply fails, its redundant
power supply takes over without interruption.
• Each DC power supply has a single DC input (–48 VDC and return) that requires a
dedicated 80 A (–48 VDC) circuit breaker for the maximum router hardware
configuration.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 146
DC Power Supply Description
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 147
DC Power Supply Description
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 148
DC Power Supply Description
• The power supply status is also reflected in two LEDs on the craft interface. In
addition, a power supply failure triggers the red alarm LED on the craft interface.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 149
Tools and Parts Required
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 150
Removing a DC Power Supply
• Make sure that the voltage across the DC power source cable leads is 0 V.
• Do not leave a power supply slot empty for more than a short time while the router is
operational. The power supply must remain in the chassis for proper airflow;
alternately, you may install a blank panel.
• After powering off a power supply, wait at least 60 seconds before turning it back on.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 151
Removing a DC Power Supply
• Attach an ESD grounding strap to your bare wrist, and connect the strap to one of the
ESD points on the chassis.
• Switch the circuit breaker on the power supply faceplate to the OFF position (O).
• Remove the clear plastic cover protecting the terminal studs on the faceplate.
• Loosen the captive screw on the cable restraint on the lower edge of the power supply
faceplate. Carefully move the power cables out of the way.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 152
Removing a DC Power Supply
• Do not touch the power connector on the top of the power supply. It can contain
dangerous voltages.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 154
Installing a DC Power Supply
• Make sure that the voltage across the DC power source cable leads is 0 V.
• There is no standard color coding for DC power cables. The color coding used by the
external DC power source at your site determines the color coding for the leads on the
power cables that attach to the terminal studs on each power supply. You must ensure
that power connections maintain the proper polarity. The power source cables might
be labeled (+) and (–) to indicate their polarity.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 155
Installing a DC Power Supply
• Attach an ESD grounding strap to your bare wrist, and connect the strap to one of the
ESD points on the chassis.
• Switch the circuit breaker on the power supply faceplate to the OFF position.
• Ensure that the release lever below the empty power supply slot is locked in the
counterclockwise position.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 156
Installing a DC Power Supply
• If necessary, pull the spring-loaded locking pin in the release lever away from the
chassis and turn the release lever counterclockwise until it stops. Let go of the locking
pin in the release lever. Ensure that the pin is seated inside the corresponding hole in
the chassis.
• Using both hands, slide the power supply straight into the chassis until the power
supply is fully seated in the chassis slot. The power supply faceplate should be flush
with any adjacent power supply faceplates.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 157
Installing a DC Power Supply
• The small tab on the metal housing that is controlled by the release lever must be
inside of the corresponding slot at the bottom of the power supply. This tab is used to
pull the power supply down in the chassis slot, prior to removing the power supply.
• While firmly pushing the handle on the power supply faceplate with one hand, use
your other hand to pull the spring-loaded locking pin in the release lever away from the
chassis and turn the release lever clockwise until it stops.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 158
Installing a DC Power Supply
• Let go of the locking pin in the release lever. Ensure that the pin is seated inside the
corresponding hole in the chassis.
• Remove the clear plastic cover protecting the terminal studs on the faceplate.
• Loosen the captive screw on the cable restraint on the lower edge of the power supply
faceplate. Remove the cable restraint.
• Remove the nuts and washers from the RTN (return) terminal studs.
• Attach the positive (+) DC power source cable lug to the RTN (return) terminal studs.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 159
Installing a DC Power Supply
• Secure the power cable lug to the terminal studs. Apply between 23 lb-in. (2.6 Nm)
and 25 lb-in (2.8 Nm) of torque to each nut.
• Remove the nuts and washers from the -48V (input) terminal studs.
• Attach the negative (–) DC source power cable lug to the –48-V (input) terminal.
• Secure the power cable lug to the terminal studs. Apply between 23 lb-in. (2.6 Nm)
and 25 lb-in (2.8 Nm) of torque to each nut.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 160
Installing a DC Power Supply
• The DC power supplies in slots PEM0 and PEM1 must be powered by dedicated
power feeds derived from feed A, and the DC power supplies in slots PEM2 and
PEM3 must be powered by dedicated power feeds derived from feed B. This
configuration provides the commonly deployed A/B feed redundancy for the system.
• Make sure the positive and negative DC power cables run properly through the left
and right sides of the cable restraint.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 161
Installing a DC Power Supply
• Tighten the cable restraint captive screws to hold the power cables in place. Verify
that the ground and power cabling are correct, they are not touching or blocking
access to router components, and they do not drape where people can trip on them.
• Replace the clear plastic cover over the terminal studs on the faceplate.
• Switch the circuit breaker on the power supply to the ON position and observe the
status LEDs on the power supply faceplate. If the power supply is correctly installed
and functioning normally, the PWR OK, BREAKER ON, and INPUT OK LEDs light
steadily.
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 162
Section Summary
© 2010 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL FSSMX960 www.juniper.net | 163
Junos Operating System
Fundamentals
12.0 12.1 …
J2320
TX Matrix
Routing Engine
RT FT The
Junos OS
Control Plane Internal Link
Forwarding Plane
FT
Frames/Packets In Frames/Packets Out
Packet Forwarding Engine
© 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net | 4
Routing Engine
RT FT The
Junos OS
Control Plane
Forwarding Plane
Routing Engine
Control Plane
Forwarding Plane
FT
Frames/Packets In Frames/Packets Out
Packet Forwarding Engine
© 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net | 6
Transit Traffic Processing
CPU
Control Plane
Forwarding Plane
FT
Frames/Packets In Frames/Packets Out
Packet Forwarding Engine
© 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net | 7
Exception Traffic Processing (1 of 2)
CPU
Control Plane
Forwarding Plane
Frames/Packets In
Frames/Packets Out
Routing Engine
CPU
Control Plane
Built-In Rate Limiting
Forwarding Plane
Frames/Packets In
Routing
Switching
Security
J Series
SRX Series
login: user
Password:
•The root user must start the CLI from the shell
• Remember to exit the root shell after logging out of the CLI!
router (ttyu0)
Operational mode:
•Monitor and troubleshoot the software, network
connectivity, and hardware
user@router> The > character identifies
operational mode
Configuration mode:
•Configure the device, including interfaces, protocols, user
access, and system hardware properties
[edit]
user@router# The # character identifies
configuration mode
user@router> clear ?
Possible completions:
amt Show AMT Protocol information
arp Clear address resolution information
auto-configuration Clear auto-configuration action
bfd Clear Bidirectional Forwarding Detection information
. . .
Syntax
address address {
arp ip-address (mac | multicast-mac) mac-address <publish>;
broadcast address;
...
Hierarchy Level
...
user@router> show i
• Ctrl+a
user@router> show interfaces
Cursor Position
• Ctrl+f
user@router> show interfaces
• Ctrl+e
user@router> show interfaces
Less Specific
clear configure help monitor set show …
…
More Specific database interface neighbor
commit
0
rollback n
1 2 ... 49
Bit Bucket
[edit]
user@router#
[edit]
user@router#
Less Specific
chassis interfaces protocols services system …
…
More Specific
area-range area_range interface nssa stub
[edit protocols]
user@router# [edit]
[edit]
user@router# [edit]
[edit]
user@router# edit system
services
[edit]
user@router# commit and-
quit
commit complete
Exiting configuration mode
user@router>
commit
0
rollback n
1 2 ... 49
Bit Bucket
• You can also specify a full path and filename or a URL (FTP and SCP)
[edit]
user@router# save path/filename
[edit]
user@router# save
ftp://user:password@router/path/filename
[edit]
user@router# save scp://user@router/path/filename
Factory-default configurations:
•Allow access through root account (no password)
•Include system logging to track system events
•Contain additional parameters that are platform dependent
MX480
EX8208
[edit]
user@router# set system root-authentication plain-text-
password
New password:
Retype new password:
[edit]
user@router# commit
commit complete
Initial configuration:
•Must include root password (restrictions exist):
[edit]
user@router# set system root-authentication plain-text-password
New password: ***
error: minimum password length is 6
error: require change of case, digits or punctuation
[edit]
Configuration mode prompt
root#
[edit system]
root# set host-name router
[edit system]
root# set root-authentication plain-text-password
New password:
Retype new password:
[edit system]
root# run set date 201204250900.00
Wed April 25 09:00:00 UTC 2012
[edit system]
root# set services ssh
[edit]
root# set interfaces interface name unit 0 family inet address 10.0.1.131/27
[edit]
root# set routing-options static route 10.0.1.0/24 next-hop 10.0.1.129
root@router>
[edit]
root@router# rollback rescue
load complete
Loads and activates the current
[edit] rescue configuration
root@router# commit
commit complete
Address information
Local database
•Name and password
•Individual accounts and home directories
RADIUS and TACACS+
•Centralized user management
•Users mapped to locally defined template users
Local
authentication
database
RADIUS or TACACS+
server
[edit]
user@router# show system authentication-order
authentication-order [ radius tacplus password ];
[edit]
user@router# show system authentication-order
authentication-order [ radius tacplus password ];
RADIUS server
Username = lab Password = lab123
[edit]
user@router# show system authentication-order
authentication-order [ radius tacplus ];
RADIUS server
Username = lab Password = lab123
[edit]
user@router# show system authentication-order
authentication-order [ radius tacplus ];
RADIUS server
Username = lab Password = lab123
Permissions
•Predefined sets of related commands
Allow and deny overrides
•Define exceptions for commands and configuration
statements that would otherwise be allowed or denied
•Can be specified using regular expressions
System logging:
•Uses UNIX syslog-style configuration syntax
• Primary syslog file is /var/log/messages
•Supports numerous facilities and severity levels
• The facility defines the class of log message and the severity level
determines the level of logging detail
•Provides local and remote logging support
• Remote logging (and archiving) recommended for troubleshooting
[edit]
user@router> file list /var/transfer/config detail
Destination filename format:
/var/transfer/config: host-name_juniper.conf.gz_YYYYMMDD_HHMMSS_UTC time
total 12
-rw-r----- 1 root wheel 1530 Apr 25 13:51 host_juniper.conf.gz_20120425_215150
instructor@server1.dx1.sv$pwd
/home/ftp/pub/archive
instructor@server1.dx1.sv$ls
host_juniper.conf.gz_20120425_215150
Response
© 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net | 21
SNMP Overview (2 of 2)
MIB:
•Used to define managed objects in a network device
•Designed in hierarchical tree structure
•Standard or enterprise specific
•Consists of object identifiers
Junos SNMP support:
•Versions 1, 2c, and 3
•Remote monitoring events, alarms, and history
Operation:
•Monitor the SNMP agent with NMS tools
•Monitor SNMP protocol using traceoptions, syslog, and
show commands
•MIB walks and gets are available from the CLI:
user@router> show snmp mib walk jnxOperatingDescr
jnxOperatingDescr.1.1.0.0 = midplane
jnxOperatingDescr.2.1.1.0 = Power Supply 0
jnxOperatingDescr.2.1.2.0 = Power Supply 1
jnxOperatingDescr.4.1.1.1 = FAN 0
jnxOperatingDescr.7.1.0.0 = FPC: EX3200-24T, 8 POE @ 0/*/*
jnxOperatingDescr.8.1.1.0 = PIC: 24x 10/100/1000 Base-T @ 0/0/*
jnxOperatingDescr.8.1.2.0 = PIC: 4x GE SFP @ 0/1/*
jnxOperatingDescr.9.1.0.0 = RE-EX3200-24-T
Junos CLI
SNMP LEDs
J-Web LCDs
Administratively disabled
router (ttyp0)
login: user
Password:
. . .
jinstall-12.1R1.9-domestic-signed.tgz
Junos images are digitally
Package Release Edition signed and compressed
Unified ISSU
• Enables you to upgrade between two different Junos OS releases
with no disruption on the control plane
• Eliminates network downtime during software image upgrades
• Reduces operating costs, while delivering higher service levels
• Allows fast implementation of new features
RE 0 RE 1
Master Backup
Data Flow
PFE
R1
ge-0/0/1
Network A ISP X
172.29.100.0/24 .1 .2 .1
172.30.25.0/30
192.168.63.14
Note: Routes with invalid or unreachable next hops will not become active!
Network A 172.29.0.0/22
172.29.0.0/24
.1 R1
Network B .1 ge-0/0/1
ISP X
172.29.1.0/24 .2 .1
172.30.25.0/30
.1
Network C
172.29.2.0/24
.1 R1
Network B .1 ge-0/0/1
ISP X
172.29.1.0/24 .2 .1
172.30.25.0/30
.1
Note: The default next hop for aggregate routes is reject, which sends an ICMP
unreachable message when a more specific contributing route does not exist.
.1 R1
Network B .1 ge-0/0/1
ISP X
172.29.1.0/24 .2 .1
172.30.25.0/30
.1
Network C
172.29.2.0/24
R1
Tier 1 ISP Customer X
Regional ISP
10.0.0.0/16 0/0
10.0.0.0/16
R2
R1
OSPF ge-0/0/1 ISP X
Area 0 .2 .1
172.30.25.0/30
R3
[edit policy-options]
user@R1# show policy-statement export-default Policy matches generated
term match-default { route defined on the previous
from { slide
protocol aggregate;
route-filter 0.0.0.0/0 exact;
} The protocol aggregate match condition is
then accept; used for aggregate and generated routes
}
10.0.0.0/16
R2
R1
OSPF ge-0/0/1
ISP X
Area 0 .2 .1
172.30.25.0/30
R3
inet.0:
…
23.0.0.0/8 orlonger -- disallowed
31.0.0.0/8 orlonger -- disallowed Prefixes are added to list
36.0.0.0/8 orlonger -- disallowed
Default list omitted
Note: Actual routing instance types vary between platforms; check product documentation for
support information.
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 24
Configuration Example
Physical Connection
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 29
Open Shortest Path First
OSPF ISP X
AS 64512
AS 64587
R2
R1
OSPF
Area 0
R3
R4
R1 R2
Link-State Request
Link-State Update
Link-State Acknowledgment
* Fields that must match to form an adjacency over a broadcast medium; a matching
network mask is not required for point-to-point links
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 5
Database Description Packet
Link-State Update
Link-State Acknowledgment
Link-State Update
Link-State Acknowledgment
Link-State Update
Link-State Acknowledgment
R1 R2
DD (Seq=y+n, Master)
Loading DD (Seq=y+n, Slave)
LS Request Full
LS Update
LS Request
LS Update
Full
Adjacencies
DR BDR
DR DR
OSPF adjacencies are only
formed with the DR and BDR.
DR BDR
DR BDR
Adjacencies
Area 0
Area 0
AS 65415
Areas
•An AS can be divided into smaller groups called areas
•LSA flooding can be constrained to an area, which
effectively reduces the size of the link-state database
•All routers maintain an identical copy of the link-state
database on a per-area basis
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 16
OSPF Routers
AS 65415
Intra-Area Routes
Stub Area Does not carry external routes
Special stub area that allows external and cannot contain ASBRs
routes to be advertised from the area
but not received from another area
Backbone
(0.0.0.0)
RIP
Default Route
External Routes BGP
Backbone
(0.0.0.0)
RIP
BGP
[edit protocols]
user@R1# show
ospf { Used for IPv4 routing environments
area <area-id> {
<area options>;
interface <interface-name> {
<interface options>;
}
}
}
ospf3 { Used for IPv4 or IPv6 routing environments
area <area-id> {
<area options>;
interface <interface-name> {
<interface options>;
}
}
}
Area 0.0.0.0
Area 0.0.0.1 Area 0.0.0.2
172.26.2.0/30
ge-1/0/0 ge-0/0/3 ge-0/0/1 ge-0/0/1 ge-0/0/3 ge-1/0/1
ge-0/0/1
[edit policy-options]
user@R1# show
policy-statement 2ospf { Redistribution policy is defined under
term match-direct-route { [edit policy-options] hierarchy.
from {
protocol direct;
route-filter 172.18.1.0/24 exact;
}
then accept;
}
}
[edit protocols]
user@R1# show
ospf {
export 2ospf; Redistribution policy is applied under
area 0.0.0.1 { [edit protocols ospf] hierarchy.
interface ge-1/0/0.0;
interface lo0.0;
}
}
Area 0.0.0.0
Area 0.0.0.1 Area 0.0.0.2
172.26.2.0/30
ge-1/0/0 ge-0/0/3 ge-0/0/1 ge-0/0/1 ge-0/0/3 ge-1/0/1
ge-0/0/1
Area 0.0.0.0
Area 0.0.0.1 Area 0.0.0.2
172.26.2.0/30
ge-1/0/0 ge-0/0/3 ge-0/0/1 ge-0/0/1 ge-0/0/3 ge-1/0/1
ge-0/0/1
Area 0.0.0.0
Area 0.0.0.1
172.26.2.0/30
ge-1/0/0 ge-0/0/3 ge-0/0/1 ge-0/0/1
ge-0/0/1
Problem Checklist
No neighbor detected Check physical and data link layer connectivity
Check for mismatched IP subnet/mask, area
number, area type, authentication, hello/dead
interval, or network type
Stuck in ExStart state Check MTU settings to ensure that they match
ge-1/0/0 ge-0/0/3
R1 - lo0: 192.168.1.1 R2 - lo0: 192.168.1.2
.1 172.26.1.0/30 .2
ge-1/0/0 ge-0/0/3
R1 - lo0: 192.168.1.1 R2 - lo0: 192.168.1.2
.1 172.26.1.0/30 .2
Receive errors:
410 area mismatches
17 mtu mismatches
81 Hellos received with our router ID
4-1
Egress
RSVP LSPs
B
G
I
PE 2 CE – B2
VPN B PE 1
Site 1 VPN A
Site 3
P PE 3
CE – B1
CE – A3
Hello messages
Discovery
TCP Session Establishment
Session
Initialization Messages
Advertise Receive
Incoming Outgoing
MPLS Table Label MPLS Table Label MPLS Table
In Out In Out In Out
(fe-0/0/2, 35) (so-0/0/1, 17) (so-0/0/1, 17) (so-0/0/3, 52) (so-0/0/3, 52) (at-0/2/0, 29)
Basic Discovery
Router A Router B
224.0.0.2, UDP port 646
Extended Discovery
Specific Address, UDP port 646
Router A Router B
TCP 3-way Handshake
(Passive) (Active)
10.0.1.1 10.0.1.2
Session Initialization
(Version, Label modes, Timer Values)
Session Initialization
(Version, Label modes, Timer Values)
Keepalives
r5 Loopbacks
10.0.8.4/30
.6 r5 = 10.0.3.5
r6 = 10.0.9.6
fe-0/0/1
r7 = 10.0.9.7
.9
10.0.8.8/30
.10
fe-0/3/1
r7
Router A Router B
LDP LDP
R7 RSVP R8
[edit]
lab@r7# show protocols mpls
label-switched-path test {
to 10.0.6.1;
ldp-tunneling;
no-cspf;
}
interface all;
[edit]
lab@r7# show policy-options policy-statement only-32
term first {
from {
route-filter 0.0.0.0/0 upto /31;
}
then reject;
}
then accept;
[edit]
lab@r7# show policy-options policy-statement block-one
term first {
from {
route-filter 10.10.255.6/32 exact;
}
then reject;
} This term prevents the negation of
term last { default LDP export policy!
then accept;
}
[edit]
lab@r7# show policy-options policy-statement block-one
term first {
from {
route-filter 10.10.255.6/32 exact;
}
then reject; This term prevents the negation of default LDP
} export policy!
term last {
then accept;
}
[edit]
lab@r7# show policy-options policy-statement connected-only
from protocol direct;
then accept;
[edit]
lab@r5# show protocols ldp
export block-one;
egress-policy connected-only;
deaggregate;
interface all;
10.222.32.0/24
injected into BGP
Blackhole traffic using 192.168.32.1/32
as next hop (independent) Denver
© 2008 Juniper Networks, Inc. All rights reserved. lo0: 192.168.56.1 27
LDP-IGP Synchronization (2 of 3)
The solution
•Until LDP is operational, advertise the link into the IGP with
maximum cost
•Once LDP is operational, advertise the link with normal cost
10.222.32.0/24
injected into BGP
Maximum cost advertised to reach
Montreal Denver
lo0: 192.168.56.1
Denver
lo0: 192.168.56.1
4-1
Extended IGP
User-defined constraints
influence path selection Explicit Route
•Bandwidth requirements*
•Hop count limitations (for fast
reroute)
RSVP Signaling
•Administrative groups (colors)
•Priority (setup and hold)*
•Explicit route (strict or loose)* * Can also be specified for non-CSPF-signaled LSPs
60 60
43 40
43
15
15
Which path
will a new LSP
with a 12-Mbps
bandwidth request take?
© 2008 Juniper Networks, Inc. All rights reserved. 14
Test Understanding: Most Fill
All links Fast Ethernet Available bandwidth ratio
IGP = IS-IS
All IGP path metrics equal
65
85
60
60 60
43 40
43
15
15
Which path
will a new LSP
with a 12-Mbps
bandwidth request take?
© 2008 Juniper Networks, Inc. All rights reserved. 15
An Interesting Question
All links 100% subscription factor
Each link shows reserved
bandwidth 500M 500M
IS-IS IGP; all paths equal metrics
Top and bottom links are
GE, middle links 5M
are FE
5M 5M
10M
10M
10M 10M
10M
Using
least-fill load 200M
200M
balancing, which
path will a new LSP
with a 4-Mbps bandwidth
request take? •Do you find this odd?
© 2008 Juniper Networks, Inc. All rights reserved. 17
Overview of Administrative Groups
Thirty-two named groups, 0 through 31—carried as
32-bit value in IGP updates
•Groups assigned to interfaces
Silver
San Gold
Francisco
Bronze
1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 0
IGP Metrics
B 5
G 1
1 3 I
2
5
A E 6
2 1 3
2
3 6 D
H
C
F 3
4
B 5
G 1
1 3 I
2
5
A E 6
2 1 3
D
2
3
H
C
F 3
6 4
B 5
G 1
1 3 I
2
5
A E 6 3
2 1
D 2
3 H
C 6
F 3
4
B 5
G 1
1 3 2 I
5
A E 6 3
2 1
D 2
3 H
C 6
F 3
4
B 5
G 1
1 3 I
2
3
A E 6 1
2 1
D 2
3 H
C 6
F 3
4
B 5
G 1
1 3 I
2
3
A E 6 1
2 1
D 2
3 H
C 6
F 3
4
4-1
192.168.24.1
From: 192.168.16.1, State: Up, ActiveRoute: 1, LSPname: green
ActivePath: two (secondary)
LoadBalance: Random
Primary one State: Dn
Priorities: 6 6
Bandwidth: 35Mbps
Will be enqueued for recomputation in 21 second(s).
51 Mar 25 19:53:39 Requested bandwidth unavailable
50 Mar 25 19:53:39 CSPF: computation result accepted
49 Mar 25 19:53:39 Deselected as active
48 Mar 25 19:53:39 Requested bandwidth unavailable
47 Mar 25 19:53:39 Session preempted
46 Mar 25 19:53:39 Down
45 Mar 25 19:51:12 Selected as active path
44 Mar 25 19:51:12 Record Route: 10.0.16.2 S 10.0.1.1 S 10.0.24.2 S
43 Mar 25 19:51:12 Up
42 Mar 25 19:51:12 Originate Call
ISIS Metric 20
Tokyo London
lo0: 192.168.20.1 ISIS Metric 20 lo0: 192.168.28.1
ISIS Metric 50
SanJose Montreal
lo0: 192.168.0.1 lo0: 192.168.2.1
label-switched-path Red {
to 192.168.24.1;
priority 6 6;
bandwidth 10M;
}
Given that all links with existing LSPs have less than 10 M
available, which LSP(s) can be preempted by LSP Red?
© 2008 Juniper Networks, Inc. All rights reserved. 10
Motivations for Fast Reroute
Ask yourself these questions:
•Is there a way to get quicker failover in the event of primary
LSP failure?
•How can I reduce packet loss when I lose my primary LSP?
Primary path
San
Francisco Phoenix
San
Francisco Phoenix
[edit]
lab@dc# show protocols mpls . . .
label-switched-path test { path bottom {
to 192.168.24.1; 192.168.8.1 loose;
fast-reroute; 192.168.12.1 loose;
primary top; }
secondary bottom { path top {
bandwidth 75m; 192.168.0.1 loose;
priority 5 5; 192.168.2.1 loose;
standby; }
}
}
. . .
Fargo
New York
B F
Shared
Link
Ingress Egress
A C E G
LSR LSR
D H
Session 1
Session 2
SanJose Montreal
lo0: 192.168.0.1 lo0: 192.168.2.1
Denver
[edit protocols mpls]
lab@HongKong# show label-switched-path to-AM
to 192.168.24.1;
bandwidth 85m;
no-cspf;
primary Blue {
adaptive;
}
secondary Green {
standby;
adaptive;
}
Tokyo London
lo0: 192.168.20.1 lo0: 192.168.28.1
HongKong Amsterdam
lo0: 192.168.16.1 lo0: 192.168.24.1
SanJose Montreal
lo0: 192.168.0.1 lo0: 192.168.2.1
192.168.24/24
192.168.25/24
Note: Bidirectional 192.168.26/24
192.168.27/24
reachability MUST exist 200.0.5.0/24
Denver
lo0: 192.168.5.1
Sydney SaoPaulo
Dallas
lo0: 192.168.8.1 lo0: 192.168.12.1
HongKong Amsterdam
lo0: 192.168.16.1 lo0: 192.168.24.1
SanJose Montreal
lo0: 192.168.0.1 lo0: 192.168.2.1
192.168.24/24
192.168.25/24
192.168.26/24
192.168.27/24
200.0.5.0/24
Denver
lo0: 192.168.5.1
Sydney SaoPaulo
Dallas
lo0: 192.168.8.1 lo0: 192.168.12.1
policy-options { routing-options {
policy-statement lsp-policy { forwarding-table {
term first-route { export lsp-policy;
from { }
route-filter 192.168.48.0/24 exact; }
}
then {
install-nexthop lsp TO-to-SP;
accept;
}
}
term second-route {
from {
route-filter 192.168.49.0/24 exact;
}
then {
install-nexthop lsp TO-to-SP-2;
accept;
}
}
}
} Juniper Networks, Inc. All rights reserved.
© 2008 33
Traffic Engineering bgp-igp
LSP end points normally installed into inet.3 table
•Usable only by BGP for next-hop resolution
Provides TE for internal destinations
•Moves all inet.3 prefixes into inet.0
•IGP can now use all LSPs
Configured at the [edit protocols mpls]
hierarchy
[edit protocols mpls]
lab@Tokyo# set traffic-engineering ?
Possible completions:
bgp BGP destinations only
bgp-igp BGP and IGP destinations
bgp-igp-both-ribs BGP and IGP destinations with routes in both routing tables
mpls-forwarding Use MPLS routes for forwarding, not routing
[edit]
lab@dc# show protocols mpls
statistics {
file test;
auto-bandwidth;
}
label-switched-path MO-SY {
to 192.168.8.1;
install 192.168.16.0/32 active;
auto-bandwidth;
}
192.168.8.1
From: 192.168.2.1, State: Up, ActiveRoute: 6, LSPname: MO-SY
ActivePath: PATH-4 (primary)
LoadBalance: Random
Autobandwidth
AdjustTimer: 86400 secs
Max AvgBW util: 0bps, Bandwidth Adjustment in 86395 second(s).
*Primary PATH-4 State: Up
1 5
IP TTL 18 IP TTL 14
4
MPLS TTL 17
2
IP TTL 18 IP TTL 15
MPLS write back to IP Header
1 5
IP TTL 18 IP TTL 16
4
2 MPLS TTL 255
IP TTL 17 IP TTL 17
MPLS does not write back to IP header
1 5
IP TTL 18 IP TTL 16
4
MPLS TTL 255
2
IP TTL 17 IP TTL 17
MPLS does not write back to IP header
Uses IP infrastructure
•Can be shared with Internet services
Increasing importance of IP/MPLS (not ATM/Frame
Relay)
Subscriber benefits:
•Lower operational expenses
•Single network connection for multiple services
Provider benefits:
•Multiservice infrastructure
•Creates additional source of revenue
CPE-VPNs: CPE-VPN
PE
•L2TP and PPTP Site 1 Site 3
•VPLS
• BGP signaled VPLS
• LDP signaled VPLS
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 4
CPE-VPNs: L2TP and PPTP
Application: Dial access for remote users
•Layer 2 Tunneling Protocol
• RFC 2661
• Combination of L2F and Point-to-Point Tunneling Protocol
•Point-to-Point Tunneling Protocol
• Bundled with Windows and Windows NT
•Authentication during setup
•IPsec can operate over PPP for stronger security
Dial Access L2TP Access
Server Server
V.x Modem L2TP Tunnel
Public Internet
Site 1 Site 2
CPE PE PE CPE
Layer 3 characteristics
•Provider’s routers participate in customer’s Layer 3 routing
•Provider’s routers manage VPN-specific routing tables,
distributes routes to remote sites
•CE routers advertise their routes to the provider
Layer 2 characteristics
•Customer maps its Layer 3 routing to the circuit mesh
•Provider delivers Layer 2 circuits to the customer, one for
each remote site
•Customer routes are transparent to provider
Subscriber:
•Offload routing complexity to provider
•Suits enterprises that do not want to build core routing
competency into their organizations
Provider:
•VPN-specific routing information is not maintained on all
backbone routers
•Value-added service (revenue opportunity)
Site 3
DLCI 608
PE CE
MPLS Core
PE
CE CE
VPN A VPN A
Site 2 Site 4
PE
P CE
P
VPN A CE VPN A
PE CE
VPN B CE PE VPN B
CE routers:
•Located at customer premises
•Provide access to the service provider network
•Can use any access technology or routing protocol for the
CE/PE connection
PE
P CE
P
VPN A CE VPN A
PE CE
VPN B CE PE VPN B
PE routers:
•Maintain VPN-specific forwarding tables
•Exchange VPN routing information with other PE routers
using BGP
•Use MPLS LSPs to forward VPN traffic
PE
P CE
P
VPN A CE VPN A
PE CE
VPN B CE PE VPN B
P routers:
•Forward VPN data transparently over established LSPs
•Do not maintain VPN-specific routing information
PE CE
VPN B CE PE VPN B
10.1/16
VPN A
10.1/16 Site 2
VPN A CE–A1 10458:22:10.1/16 CE–A2
?
Site 1
PE 2
PE 1
VPN B 10458:23:10.1/16
Site 1
CE–B2 VPN B
CE–B1 Site 2
10.1/16
10458:23:10.1/16
10.1/16
3 VPN RED Export
IP
10.1/16
10.1.2.3
The inner label is removed at the egress PE router
The native IPv4 packet is sent to the outbound
interface associated with the label
Preliminary steps:
•Choose and configure the IGP for PE and P routers
•Configure MP-BGP peering among PE routers
• Must include VPN-IPv4 NLRI capability
•Enable the label-switched path signaling protocols
•Establish LSPs between PE routers
The PE routers perform VPN-specific configuration
[edit]
user@R1# show protocols bgp
group my-int-group {
type internal;
local-address 192.168.1.1;
family inet {
unicast;
}
family inet-vpn {
unicast;
}
neighbor 192.168.1.3;
}
[edit policy-options]
user@R1# show
policy-statement import-cust-a {
term 1 {
from protocol bgp;
then {
community add cust-a;
accept;
}
}
}
community cust-a members 65101:1;
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 18
AS Override
Use the as-override option when CE routers
belong to the same AS
•Causes the PE router to overwrite CE’s AS number with the
provider’s AS number (two provider AS numbers in AS path)
The autonomous-system loops n option can
also be used on the CE router
• advertise-peer-as needs to be configured on the PE
remove-private can also work if private AS
numbers are in use Provider Core
AS 65512
Site 1 Site 2
OSPF Area 0
AS 65101 AS 65101
R1 R2 R3
Site 1 .2 .1 .1 .2 .2 .1 .1 .2 Site 2
10.0.10.0/24 172.22.210.0/24 172.22.212.0/24 10.0.11.0/24
CE-A PE P PE CE-B
lo0 192.168.11.1 Route-192.168.11.1 Route-192.168.11.1 lo0 192.168.11.2
AS Path 65101 I AS Path 65512 65512 I
user@R1> show ospf database instance vpn-a Router LSA for local CE, local PE,
remote PE, and remote CE routers
OSPF database, Area 0.0.0.0
Type ID Adv Rtr Seq Age Opt Cksum Len
Router 192.168.11.1 192.168.11.1 0x80000006 2386 0x22 0xf799 48
Router 192.168.11.2 192.168.11.2 0x80000007 59 0x22 0x1279 48
Router *192.168.11.3 192.168.11.3 0x80000006 2376 0x22 0x9a6f 48
Router 192.168.11.4 192.168.11.4 0x80000006 2377 0x22 0x8a7c 48
Network 10.0.10.2 192.168.11.1 0x80000002 450 0x22 0x1ba5 32
Network 10.0.11.2 192.168.11.2 0x80000002 343 0x22 0x229a 32
[edit policy-options]
user@R1# show
...
policy-statement export-vpn-a {
term 1 {
from protocol ospf;
then {
community add vpn-a;
community add domain-a;
accept;
}
}
term 2 {
then reject;
}
}
community domain-a members domain-id:1.1.1.1:0;
community vpn-a members target:65512:101;
OSPF Area 0
51 R1 R2 R3 51
Provider Core
PE1 P PE2
Site 1 Site 2
CE-A CE-B
Core Problems:
PE-CE Problems: PE-CE Problems:
IGP
IGP/EBGP IGP/EBGP
MPLS (RSVP/LDP)
Policy Policy
IBGP
Data Forwarding
Network characteristics:
•192.168.x.y loopback addresses
•IGP is single-area OSPF
•RSVP signaling between PE devices, LSPs established between
PE routers (CSPF not required)
•Full MP-IBGP mesh between PE routers, loopback peering,
VPN-IPv4 NLRI
•CE-PE link running EBGP
•Full-mesh Layer 3 VPN between CE-A and CE-B
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 4
PE-PE Troubleshooting
routes VPN 1
PE-2
VPN50
•Add additional VPN route VPN150 PE-1
P P
reflectors for VPNs as PE-3
needed
•PE routers peer with as P P
PE-1 PE-3
PE-2
VPN-A VPN-B
CE-A PE-1 PE-2 CE-B
192.168.1.1 192.168.1.2
AS 65512
RR-1
192.168.1.3
VPN-A VPN-B
CE-A PE-1 PE-2 CE-B
192.168.1.1 192.168.1.2
AS 65512
VPN-A VPN-B
CE-A PE-1 PE-2 CE-B
192.168.1.1 192.168.1.2
AS 65512
target:65512:100 target:65512:200
VPN-A VPN-B
CE-A PE-1 PE-2 CE-B
192.168.1.1 192.168.1.2
AS 65512
target:65512:100 target:65512:200
65512:65512:100/96
*[RTarget/5] 00:11:19
Local
[BGP/170] 00:03:31, localpref 100, from 192.168.1.3
AS path: I
> to 172.22.210.2 via ge-1/0/0.210
65512:65512:200/96
*[BGP/170] 00:03:31, localpref 100, from 192.168.1.3
AS path: I
> to 172.22.210.2 via ge-1/0/0.210
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 12
Route Target Filtering (5 of 5)
VPN-B routes tagged with:
target:65512:200
RR-1
192.168.1.3
VPN-A VPN-B
CE-A PE-1 PE-2 CE-B
192.168.1.1 192.168.1.2
AS 65512
target:65512:100 target:65512:200
Source X
Destination Y Y
PE-1 P1 P2 P3 PE-2
Packet Labels:
Outer Label: RSVP
LDP-Signaled LSP Middle Label: LDP
RSVP-Signaled LSP Inner Label: VPN
[edit]
user@P1# show protocols ldp
interface ge-0/0/0.0;
interface lo0.0;
Public Internet
Customer
Site 1 Provider VPN
Customer
Site 3
PE-1 P1 P2 P3 PE-2
Customer
Site 2
Internet traffic
Customer Customer
Site 1 Site 2
PE-1 P1 P2 P3 PE-2
Internet traffic
Customer Customer
Site 1 Site 2
PE-1 P1 P2 P3 PE-2
VPN Provider
VPN/Internet traffic VPN traffic
Option 2.2:
•Some or all Internet routes maintained in VRF table on PE
• Routes matching non-VPN addresses are directed to the main
routing table for lookup using the next-table operation
•Requires a separate logical link between CE and PE router
for carrying return traffic from the Internet (which presents
scaling problems if VRF tables maintain a full set of routes)
• PE probably maintains a 0/0 plus a small number of other Internet
routes per VRF table with this option
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 22
Accessing the Public Internet: Option 2.3
Internet
Internet traffic
Customer Customer
Site 1 Site 2
PE-1 P1 P2 P3 PE-2
VPN Provider
VPN/Internet traffic VPN traffic
Option 2.3:
•Single interface for VPN and Internet access
•Requires that:
• Either VPN has no private addresses or that it uses BGP with
community tagging
• VRF routes be copied into inet.0 using RIB groups
• Non-VPN routes be matched against the main routing table using
the next-table operation
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 23
Accessing the Public Internet: Option 3.x
Internet
Option 3.x:
•Central CE device sends Internet/default routes to remote
sites
•Remote sites access both VPN and Internet using their
single VRF interface
•Central CE device turns Internet packets around and sends
them to PE router over a non-VRF interface
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 24
Internet Access Support
Summary:
•Internet access through a non-VRF interface (PE router has
no Internet routes)
• Options 1.1 and 1.2
•Internet access through a VRF interface (PE router has some
or all Internet routes)
• Options 2.1, 2.2, and 2.3
• Uses a default route in VRF table that points to next-table inet.0
• Routes in inet.0 cannot point back to a VRF table
• RIB groups are required to install VPN routes into inet.0 so that
return traffic can be routed correctly to CE device
• Can use a single PE-CE VRF interface
•Central CE device providing Internet access (Option 3.x)
•In all cases, the CE device must use globally assigned IP
addresses for Internet traffic
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 25
Layer 3 VPNs—
Advanced Topics
VRF-A VRF-B
VPN-A/B VPN-B/A
Routes Routes
CE-A CE-B
VPN-A VPN-B
Hub
CE
ge-0/0/0.0 4 ge-0/0/0.1
3
Spoke Hub PE Hub
VRF VRF
Target: Target:
Spoke Hub
2 5
Hub
CE
4 3
ge-0/0/0.0 ge-0/0/0.1
5 2
Private Addresses
PE
ge-0/0/1
2 ge-0/0/0
CE PE-1
HK 1
21/24 1 lo0: 192.168.16.1
A
172.20.0/24
L3VPN
L2VPN VPLS ?
(unicast only)
Note: Legacy draft-Rosen L3VPN multicast scheme does not conform to this model.
1.1.1.1 224.7.7.7 M-cast Data 192.168.16.1 239.1.1.1 1.1.1.1 224.7.7.7 M-cast Data 1.1.1.1 224.7.7.7 M-cast Data
SA DA GRE-SA GRE-DA SA DA SA DA
L3VPN
IPTV
(unicast and L2VPN VPLS ?
multicast)
• MVPN membership
autodiscovery
• Autodiscovery for selective RR RR
provider tunnels
• Customer PIM join message PE5 PE2
conversion
• Active sources
PE3
• PE routers might need only PE4
Terms
•PMSI : Type of tunnel to use to transport multicast data
across the provider core (also called provider tunnel)
• RSVP point to multipoint LSPs
• Provider instance PIM distribution trees (similar to draft-Rosen)
• MLDP
•I-PMSI
• Multidirectional: All PEs in a MVPN can transmit multicast packets
to all other PEs participating in MVPN
• Unidirectional: Enables only a particular PE to transmit multicast
packets to other PEs
•S-PMSI
• A particular PE can transmit multicast packets to a subset of PEs
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 8
Next-Generation MVPN BGP
Advertisements
Next-generation MVPN routes use the MCAST-VPN NLRI
format
• AFI 1/SAFI 5
• Routes tagged with correct route target community are
placed into the bgp.mvpn.0 and Type routing-
Length Route Type Specific
instance.mvpn.0 table (1 bytes) (1 bytes) (variable length)
MPLS label that receiving PE should RSVP Session ID for RSVP point to
expect as an inner label for incoming multipoint LSPs
MVPN traffic (0 = No label)
P2
P1
PE5 PE2
PE4 PE3
draft-Rosen
PE5 PE2
PE4 PE3
PE-3 CE
C-RP C
lo0: 192.168.2.2
PE-2
CE
Provider Core B
OSPF Area 0 lo0: 192.168.2.1
P1 P2
C-DR
CE PE-1
AS 65512
A 1 lo0: 192.168.6.1
C-RP
PE-3 CE
lo0: 192.168.2.2 C
5:192.168.6.1:1:32:10.0.101.2:32:224.7.7.7
PE-2
CE
Provider Core B
OSPF Area 0 lo0: 192.168.2.1
10.0.101.2
P1 P2
C-DR
CE PE-1
AS 65512
A 1 lo0: 192.168.6.1
PE-3 CE
C-RP C
lo0: 192.168.2.2
PIM Registers
CE
Provider Core PE-2 B
OSPF Area 0 lo0: 192.168.2.1
10.0.101.2
P1 P2
C-DR Receivers
CE PE-1
AS 65512
A 1 lo0: 192.168.6.1
PE-3 CE
C-RP C
lo0: 192.168.2.2
PE-2
CE
Provider Core B
OSPF Area 0 lo0: 192.168.2.1
S-IP=10.0.101.2
P1 P2
C-DR Receivers
CE PE-1
AS 65512
A 1 lo0: 192.168.6.1
PE-3 CE
C-RP C
lo0: 192.168.2.2
PE-3 CE
C-RP C
lo0: 192.168.2.2
CE
Provider Core PE-2 B
OSPF Area 0 lo0: 192.168.2.1
P1 P2
C-DR
CE PE-1
AS 65512
A 1 lo0: 192.168.6.1
PE-3 CE
C-RP C
lo0: 192.168.2.2
5:192.168.6.1:1:32:10.0.101.2:32:224.7.7.7
PE-2
CE
Provider Core B
OSPF Area 0 lo0: 192.168.2.1
10.0.101.2
P1 P2
C-DR
CE PE-1
AS 65512
A 1 lo0: 192.168.6.1
PE-3 CE
C-RP C
lo0: 192.168.2.2
PIM Registers
PE-2
CE
Provider Core B
OSPF Area 0 lo0: 192.168.2.1
10.0.101.2
P1 P2
C-DR Receiver
CE PE-1
A 1 lo0: 192.168.6.1 AS 65512
PE-3 CE
C-RP lo0: 192.168.2.2 C
4 4:3:192.168.6.1:1:0:0.0.0.0:32:224.7.7.7:192.168.6.1:192.168.2.1 2
PIM (S,G) Join Customer PIM domain
Customer PIM domain
PE-2 CE
Provider Core B
3 OSPF Area 0 lo0: 192.168.2.1
10.0.101.2
P1 P2
C-DR Receiver
CE PE-1
AS 65512
A 1 lo0: 192.168.6.1
PE-3 CE
C-RP lo0: 192.168.2.2 C
Junos OS supports:
•Provider Tunnel Types
• RSVP Inclusive Trees
• RSVP Selective Trees
• PIM–ASM Tunnels
• PIM-SSM Tunnels
• Data MDT Tunnels
•PIM features
• PIM Sparse Mode
• PIM Dense Mode
• Auto-RP
• Bootstrap Protocol
MVPN settings
[edit routing-instances mcast-pe-vrf]
user@pe1# set protocols mvpn ?
Possible completions:
…
> autodiscovery-only Use MVPN exclusively for PE router autodiscovery
> mvpn-mode MVPN mode of operation
receiver-site MVPN instance has sites only with multicast receivers
> route-target Configure route-targets for MVPN routes
sender-site MVPN instance has sites only with multicast sources
> traceoptions Trace options for BGP-MVPN
unicast-umh-election Upstream Multicast Hop election based on unicast route
preference
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 33
View VRF PIM Status
Group: 224.7.7.7
Source: 10.0.101.2
Flags: sparse
Upstream interface: ge-1/0/9.251
Upstream neighbor: 10.0.50.2
Upstream state: Local RP, Join to Source
Keepalive timeout:
Downstream neighbors:
Interface: Pseudo-MVPN
Group: 224.7.7.7
Source: 10.0.101.2/32
Upstream interface: ge-1/0/9.251
Session description: Unknown
Statistics: 139 kBps, 263 pps, 532482 packets
Next-hop ID: 3638
Upstream protocol: MVPN
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: forever
Wrong incoming interface notifications: 0
Family: INET6
1:192.168.2.1:65535:192.168.2.1/240
*[BGP/170] 18:13:11, localpref 100, from 192.168.2.1
AS path: I
> to 172.22.250.2 via ge-1/0/4.250, Push 299888
1:192.168.2.2:65535:192.168.2.2/240
*[BGP/170] 18:26:13, localpref 100, from 192.168.2.2
AS path: I
> to 172.22.250.2 via ge-1/0/4.250, Push 299808
7:192.168.6.1:5:65512:32:10.0.101.2:32:224.7.7.7/240
*[BGP/170] 00:18:13, localpref 100, from 192.168.2.1
AS path: I
> to 172.22.250.2 via ge-1/0/4.250, Push 299888
1:192.168.2.1:65535:192.168.2.1/240
*[BGP/170] 18:13:29, localpref 100, from 192.168.2.1
AS path: I
> to 172.22.250.2 via ge-1/0/4.250, Push 299888
1:192.168.2.2:65535:192.168.2.2/240
*[BGP/170] 18:26:31, localpref 100, from 192.168.2.2
AS path: I
> to 172.22.250.2 via ge-1/0/4.250, Push 299808
1:192.168.6.1:5:192.168.6.1/240
*[MVPN/70] 00:41:29, metric2 1
Indirect
5:192.168.6.1:5:32:10.0.101.2:32:224.7.7.7/240
*[PIM/105] 18:23:21
Multicast (IPv4)
7:192.168.6.1:5:65512:32:10.0.101.2:32:224.7.7.7/240
*[PIM/105] 00:18:31
Multicast (IPv4)
[BGP/170] 00:18:31, localpref 100, from 192.168.2.1
AS path: I
> to 172.22.250.2 via ge-1/0/4.250, Push 299888
•CE device:
• Layer 2 and Layer 3 independent of the service provider network
• Normally the same Layer 2 technology used at both ends of a VPN
•PE routers:
• Maintain and exchange VPN-related information with other PE
routers
• Use MPLS LSPs to carry VPN traffic between PE routers
•P routers:
• Forward VPN traffic transparently over established LSPs
• Do not maintain VPN-specific forwarding information
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 6
VPN Forwarding Tables
CE-A
Site 1 PE-1 PE-2 CE-C
VPN-B
Site 2
P P VPN-B
CE-B
Site 1 PE-3 CE-D
VPN-A
Site 4
P P VPN-A
CE-A CE-C
Site 1 Site 2
VPN-A VRF VRF VPN-B
NLRI
PE-1 PE-2
CE-B CE-D
VRF P1 P2 VRF
Site 1 Site 4
VPN-B MP-BGP Session VPN-A
CE-A CE-C
Site 1 Site 2
VPN-A VRF VRF VPN-B
PE-1 PE-2
CE-B CE-D
VRF P1 P2 VRF
Site 1 Site 4
VPN-B MP-BGP Session VPN-A
Site ID 4
Note: CE-E and CE-F are not shown
4
Label Range
Inner TX
PE-1 PE-2
Sub-Int IDs CE-B CE-D
Label P1 P2
Site 1 VRF VRF Site 4
150 5020 VPN-B VPN-A
265 9350
414 1000 Label used to reach CE-D
Inner TX Outer TX
Sub-Int IDs
Label Label
150 5020
265 9350
414 1000 500 LSP label to PE-2
CE-A CE-C
Site 1 Site 2
VPN-A mpls.0 VPN-B
PE-1 PE-2
CE-B CE-D
P1 P2
Site 1 mpls.0 Site 4
VPN-B VPN-A
DLCI 63
Packet
Supported encapsulations:
•Frame Relay
•ATM AAL5
•ATM SNAP
•ATM Transparent Cell Mode
•Ethernet
•Ethernet VLAN
•Cisco HDLC
•PPP
•IP-only interworking
(bits) 0 n
1 ...
Layer 2 NLRI with updated CSV
Layer 2 information:
•Control flags indicate:
• If sequencing is required
• Whether the Martini control word is required
•MTU field describes the VPN’s MTU
• All members of a VPN must use the same MTU, as mismatched
MTU causes NLRI to be ignored
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 32
Layer 2 VPN Configuration Overview
[edit policy-options]
user@R1# show
...
policy-statement export-vpn-a {
term 1 {
then {
community add vpn-a;
accept;
}
}
term 2 {
then reject;
}
}
community vpn-a members target:65512:101;
[edit policy-options]
user@R1# show
...
community vpn-a members target:65512:101;
encapsulation-type ethernet-vlan;
site CE-A {
site-identifier 1;
interface ge-1/0/4.512; Default remote site identifier = site 2
interface ge-1/0/4.513; Default remote site identifier = site 3
. . .
l2vpn {
encapsulation-type ethernet-vlan;
site CE-A {
site-identifier 1;
interface ge-1/0/4.512; (Default RSI = 2)
interface ge-1/0/4.513; (Default RSI = 3)
. . .
Site C
CE-C
lo0 192.168.11.3
CE-A CE-C
Site 1 Site 3
VPN-A VPN-B
PE-1 PE-2
CE-B CE-D
P1 P2
Site 2 Site 4
VPN-B LDP Session VPN-A
(Extended)
PE-1’s Advertised Label
PE-2’s Inner Label
Core
20/8 VLAN 75
30/8 VLAN 82 75
82
Provider Core
Site 1 OSPF Area 0 Site 2
OSPF Area 0 OSPF Area 0
R1 R2 R3
Site 1 .1 .1 .2 .2 .1 .2 Site 2
10.0.10.0/24 172.22.210.0/24 172.22.212.0/24 10.0.10.0/24
CE-A PE P PE CE-B
lo0 192.168.11.1 lo0 192.168.1.1 lo0 192.168.1.3 lo0 192.168.11.2
CCC caveats:
•VLAN tagging at physical interface
• VLAN 0-511 allowed on unit for standard 802.1Q VLAN tagging
• VLAN 512-4094 are the only valid VLAN IDs for CCC encapsulation
•Frame Relay: Encapsulates frame-relay-ccc at physical
interface
• DLCI 1-511 allowed on unit for normal Frame Relay
• DLCI 512-1022 on unit is CCC Frame Relay
•Layer 2 switching cross-connect: PPP and HDLC must be
unit 0
•ATM: Cannot configure family on unit if atm-ccc-vc-mux
encapsulation is set
PE
P P CE
CE VPN A
VPN A
Site 2
Site 1
VLAN
VLANs
PE CE VPN A
VLAN
PE VLAN Site 4
VPN A CE
Site 3
PE CE VPN A
VPN A Site 4
CE PE
Site 3
Benefits:
•Auto-discovery
• Provision VPNs as a whole versus building them circuit by circuit
•Scalable protocol
• Meant to handle lots of routes
• Route reflectors/confederations for hierarchy
• Designed to work across autonomous systems
•Mechanisms to provide all VPNs types via Multiprotocol BGP
(MP-BGP, RFC 2858)
•CE device:
• Ethernet used at both ends of a VPN
•PE routers:
• Maintain and exchange VPN-related information with other PE
routers
• Performs MAC learning function
• Use MPLS LSPs to carry VPN traffic between PE routers
•P routers:
• Forward VPN traffic transparently over established LSPs
• Do not maintain VPN-specific forwarding information
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 6
Provisioning the Local CE Device
CE-D's Routing Table
In Out VLANs
CE-D
10/8 VLAN 512 512
Core
20/8 VLAN 513
30/8 VLAN 514 513
514
CE-A CE-C
Site 1 Site 2
VPN-A VPN-B
PE-1 PE-2
CE-B CE-D
P1 P2
Site 1 Site 4
VPN-B MP-BGP Session VPN-A
VPN B CE-1
MP-IBGP Session CE-2 VPN B
PE-1 PE-2
Site 1 Site 2
VRF VRF
CE-3 CE-4
VPN A VRF VRF
VPN A
Site 1 Site 2
PE Provisioning
•VPLS routing instance
•Route Target BGP community
•Site ID: Unique value in the context of a VPLS
•Site range: Maximum number of CE devices
to which it can connect
• Label base: Label assigned to the first sub-interface ID—the PE
router reserves n contiguous labels, where n is the CE device range
•Remote sites: Learned dynamically (described later)
• The PE router forwards frames to the remote sites using the labels
learned via MP-IBGP
•Layer 2 encapsulation on VPN interfaces must be VPLS
Site ID (2 Bytes)
VPLS NLRI for each VPLS Label Block Offset (2 Bytes)
instance in which it participates Label Base (3 Bytes)
Preference (2 Bytes)
•Encapsulation Type is VPLS (19)
•Control Flags - 2 bits used
• C-bit – Control word must be used if set to 1
• S-bit – Sequenced delivery of frames is necessary if set to 1
• All zeros by default
•Layer 2 MTU
•Preference – Used to specify the preference of the local site
• Value is also copied to BGP local preference by default
CE-A1 CE-A4
VPN A VRF VRF
VPN A
Site 1 VLAN
VLAN Site 4
600
600
PE-1’s NLRI for Site 1 PE-2’s VPLS MAC FT for VPN A
R-Target RT1 MACs learned Outer Inner Rx PE-2’s NLRI for Site 4
Site ID 1 from remote site Tx Label Tx Label Label R-Target RT1
Range 8 Advertised Site ID 4
1 200 2003 1000
Label base 2000 using L2 VPN Range 8
2 1001
Label Offset 1 AFI and SAFI Label base 1000
3 1002 Label Offset 1
CE-3 CE-4
VPN A VPN A
Site 1 Site 2
PE-1’s Advertised Label
PE-2’s Inner Label
PFE 3
Remote CE’s MAC is 2
learned (if not already
IP II
known) and placed in vt-0/2/0.32768
forwarding table
4
Echo Requests
Echo Replies
PE-2 CE-A2
CE-A1 VPN A
VPN A Site 2
Site 1 PE-1
CE-A2
CE-A1 VPN A
VPN A Site 2
Site 1 PE-1
PE-3
lo0 192.168.11.3
Network characteristics:
•CE interface addressing is 10.0.12/24 (except loopbacks)
•IGP is single-area OSPF
•RSVP signaling between PE devices, LSPs established
between PE routers (CSPF not required)
•Full MP-IBGP mesh between PE routers, loopback peering,
l2-vpn signaling NLRI
•Ethernet VPLS between CE-A, CE-B, and CE-C (VLAN 515)
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 2
PE Interface Configuration
ge-1/0/5 { PE1’s Gibabit Ethernet
vlan-tagging; configuration from sample
encapsulation vlan-vpls;
unit 515 { topology with vlan-
encapsulation vlan-vpls; tagging enabled
vlan-id 515;
family vpls;
}
}
ge-0/0/1 {
encapsulation ethernet-vpls;
unit 0 {
Sample Gigabit Ethernet with
family vpls; no VLAN tagging
}
}
lo0 192.168.11.3
lo0 192.168.11.3
[edit]
user@PE1# set routing-instances vpn-a protocols vpls label-block-size ?
Possible completions:
<label-block-size> Label block size for this VPLS instance (2..16)
[edit]
user@PE1#
}
}
Policer can be used to control
[edit]
the flood packet volume
user@PE1# show firewall
policer BUM { •That covers all Unknown Dst
if-exceeding {
bandwidth-limit 100k; MAC address frames/
}
burst-size-limit 15k;
Bcast MAC frames/
then discard; Mcast MAC frames
}
family vpls {
filter BUM-fw {
Be careful on what to limit
term term1 {
then policer BUM;
(routing update packets
}
} between the CEs)
}
Instance: vpn-a
Local interface: vt-1/0/10.1049600, Index: 68
Remote PE: 192.168.2.2
Broadcast packets: 3
Broadcast bytes : 180
Multicast packets: 0
Multicast bytes : 0
Flooded packets : 0
Flooded bytes : 0
Unicast packets : 15
Unicast bytes : 1530
Current MAC count: 1
Local interface: ge-1/0/4.515, Index: 78
Broadcast packets: 321
Broadcast bytes : 19260
Multicast packets: 0
Multicast bytes : 0
Flooded packets : 0
Flooded bytes : 0
Unicast packets : 42343
Unicast bytes : 4316382
Current MAC count: 1 (Limit 1024)
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 31
Label Block Advertisements
View the BGP routes in the VPLS VRF
user@PE1> show route table vpn-a extensive
PE P PE
ASBR CE CE ASBR
LSP
Global Addressing Global Addressing
Interprovider VPN model
Provider 1 Provider 2 Customer
Customer
Site 1 Site 2
External External
Customer Customer
VPN VPN
Site 1 Service Site 2
Routes Routes
Provider A
PE P PE
PE-C1 CE-1 CE-2 PE-C2
LSP (ASBR)
(ASBR)
LSP LSP
Private Private
Addressing Addressing
EBGP
VPN A
SP 1 SP 2 VPN A
Site 1 Site 2
EBGP
SP 1 MP-EBGP
VPN A SP 2 VPN A
Site 1 Site 2
EBGP
EBGP Session with
labelled-unicast
VPN A
SP 1 SP 2 VPN A
Site 1 Site 2
PE-1 PE-2
P
ASBR-1 CE-1 CE-2 ASBR-2
LSP
Service provider routers:
•P routers maintain only provider internal routes
•PE routers maintain provider internal and customer internal
routes
• PE routers do not carry customer external routes
Customer routers:
•CE routers maintain internal routes and external routes
learned from their customers
•ASBRs interface to downstream subscribers to exchange
internal routes (subscriber internal = customer external)
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 7
Carrier of Carriers: Signaling
MP-IBGP 7
EBGP Multihop
Session Site 2 Internal Route Label 101 External
3 Route x
External Service
Route Provider To Site 1
Customer Site 1 Customer Site 2
x AS=64512 (EBGP) 6
AS=11 External
AS=10
8 Route x
PE-1 PE-2 From
P 2
ASBR-1 CE-1 4 CE-2 ASBR-2 Subscriber
MP-EBGP 30 LSP MP-EBGP
5 1
IBGP Site 2 Internal Site 2 Internal IBGP
Route Label 200 Route = x
Site 2 Internal Route Label 300
Sample network:
•AS 65512 provides carrier-of-carrier services to its
customers in AS 10 and AS 11
• LSP established between PE routers
•Policy exists on CE routers to advertise /32 loopback
addresses to provider
• EBGP with labeled-unicast NLRI between CE and PE routers
•ASBR-1 and ASBR-2 routers establish a multihop EBGP
session to advertise external routes (200.0.0/24)
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 10
Carrier-of-Carriers ASBR-2 Configuration
•Customer PE-to-PE:
user@pe-1> traceroute 192.168.12.4 source 192.168.12.3
traceroute to 192.168.12.4 (192.168.12.4) from 192.168.12.3, 30 hops max, 40
byte packets
1 10.0.50.1 (10.0.50.1) 0.510 ms 0.391 ms 0.361 ms
MPLS Label=299856 CoS=0 TTL=1 S=1
2 10.0.20.1 (10.0.20.1) 0.383 ms 0.379 ms 0.373 ms
MPLS Label=300208 CoS=0 TTL=1 S=1
3 * * *
4 * * *
5 10.0.21.2 (10.0.21.2) 0.606 ms 0.478 ms 0.466 ms
MPLS Label=299792 CoS=0 TTL=1 S=1
6 192.168.12.4 (192.168.12.4) 0.477 ms 0.475 ms 0.457 ms
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 27